Newsgroups: php.internals
Date: Mon, 3 Feb 2014 18:56:46 -0500
From: swhitemanlistens-software@cypressintegrated.com (Sanford Whiteman)
To: Pádraic Brady
Message-ID: <94915413.20140203185646@cypressintegrated.com>
Subject: Re: [PHP-DEV] Re: Windows Peer Verification

> I'm sorry, but this is simply outrageous. It is a programmer's
> responsibility to code securely. It's not absurd, it's reality. If
> you can't program securely, you shouldn't be programming.

No, the reality is that (most) PHP users (most of whom are consuming someone else's code to some degree) assume that making an SSL connection means "secure." It is absurd to claim otherwise.

In fact, _we are agreeing that that assumption should always have been correct_ by changing the default behavior in PHP! How can you possibly "blame" users and "fix" the behavior at the same time?

> Your blaming of PHP is significantly misplaced.

No, it is not. If it were, this patch would not exist, for it has ALWAYS been possible to create a peer-verified outbound connection from PHP. You cannot at once place blame only on the developer and make a core change so the language is "the way it should always have been."

-- S.